CVE-2026-32320 in ellanetworks
Summary
by MITRE • 03/13/2026
Ella Core is a 5G core designed for private networks. Prior to 1.5.1, Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. This vulnerability is fixed in 1.5.1.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/20/2026
The vulnerability identified as CVE-2026-32320 affects Ella Core, a 5G core network implementation specifically designed for private network deployments. This critical flaw resides within the network element's handling of NGAP (Next Generation Application Protocol) messages, which are essential for communication between 5G base stations and core network components. The vulnerability represents a denial of service condition that can be triggered without any authentication requirements, making it particularly dangerous for private network environments where security boundaries may be less strictly enforced. The affected version range indicates that all releases prior to 1.5.1 contain this flaw, suggesting a widespread impact across deployed private 5G networks.
The technical root cause of this vulnerability lies in the improper handling of UE Security Capabilities within PathSwitchRequest messages. When the system receives a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, the Ella Core process experiences a panic condition. This panic results in an abrupt process termination rather than graceful error handling, leading to complete service disruption for all connected subscribers. The flaw demonstrates poor input validation and error handling practices, where the system fails to properly validate the length of cryptographic algorithm bitstrings before attempting to process them. This behavior aligns with CWE-248, which addresses "Uncaught Exception" conditions, and represents a classic example of inadequate error handling in security-critical network infrastructure components.
The operational impact of this vulnerability extends beyond simple service disruption to potentially compromise the entire private 5G network infrastructure. Since the attack requires only the ability to send crafted NGAP messages to the Ella Core system, an attacker can exploit this vulnerability from outside the network perimeter without requiring authentication credentials. This makes it particularly dangerous for private networks that may have limited security controls or monitoring capabilities. The denial of service affects all connected subscribers simultaneously, potentially disrupting critical industrial automation, IoT deployments, or other time-sensitive applications that rely on private 5G connectivity. The vulnerability's exploitation directly maps to ATT&CK technique T1499.004, "Network Denial of Service," and could enable further attacks by creating opportunities for network disruption that might mask other malicious activities.
The mitigation strategy for this vulnerability involves upgrading to Ella Core version 1.5.1 or later, which includes proper handling of zero-length bitstrings in UE Security Capabilities. Organizations should implement immediate patch management procedures to address this vulnerability across their private 5G deployments. Additionally, network monitoring should be enhanced to detect unusual NGAP message patterns that might indicate exploitation attempts. The fix demonstrates proper defensive programming practices where input validation is performed before processing cryptographic parameters, preventing the panic condition that previously occurred. Security teams should also consider implementing network segmentation and access controls to limit the potential impact of such vulnerabilities, ensuring that only authorized entities can communicate with the Ella Core system. This vulnerability highlights the importance of robust error handling in telecommunications infrastructure, particularly in 5G networks where service availability is critical for mission-critical applications.